It's Not Paranoia When It's the Truth

Security environment encourages assumption that no network resource is safe.

When it comes to computer and network security, I'm moving toward the doctrine adopted by Sangamon Taylor for nighttime bicycle safety. "I assume I'm wearing fluorescent clothes, and there's a million-dollar bounty going to the first driver who manages to hit me. And I ride on that assumption," says Neal Stephenson's fictional toxic-waste vigilante in the 1988 novel, "Zodiac."
Taylor's approach is beginning to seem like the only viable strategy for Internet self-defense. "I assume that everyone in a car is out to get me," Taylor ruminates. "My nighttime attitude is, anyone can run you down and get away with it." If your safety depends on anyone perceiving that you're in danger, and actually making any effort not to kill you, he concludes, "you've already blown it." Bingo.

That's the network environment in which we live, where even the aggregate bandwidth consumed by millions of Windows Update users is beginning to look like a denial-of-service attack on the Internet as a whole. The cure is almost as bad as the disease.

In fact, so hostile has the environment become that the anti-virus instructions page at MIT, in Cambridge, Mass., instructs all users of Institute facilities: "To prevent your machine from being compromised while you are applying the patch, Network Security encourages users to implement port filtering described at http://web.mit.edu/net-security/prevent-reinfection.html." Based on eWEEK Labs' experience during past worm episodes, I'd call that good advice: We've seen systems attacked multiple times during the period required to download the latest patches following an out-of-the-box installation.
What really drove the point home was a little item I saw at The Inquirer, concerning the ease with which an attacker can reinstall a vulnerable version of an ActiveX control that might have been previously, conscientiously, removed from a machine. "If some evil mail or website tries to introduce it to your system you'll get the standard popup, much like the one you get on Office Update," observed writer Rick Reroy, continuing, "Click Yes, and your computer is ripe for a reinstallation. You can save that click if you on a previous occasion checked the box that says 'Always trust content from Microsoft Corporation' (what were you thinking?)"
I'm thinking that the system not only comes out of the box unsafe, it almost appears designed to ensure that it stays that way.
And if I may borrow Reroy's question, I'd like to know what Microsoft itself is thinking when it can't even give consistent warnings on its own Web pages concerning the latest RPC-borne worm. At one URL, the company warns its enterprise and developer customers that "Microsoft tested Windows Millennium Edition, Windows NT Workstation 4.0, Windows NT Server 4.0, Windows NT Server 4.0, Terminal Server Edition, Windows 2000, Windows XP and Windows Server 2003 to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities."
That same page, however, offers a link to an "end user version" of this bulletin, where we learn that "Windows 98, Windows 98 Second Edition (SE), and Windows 95 also are not affected by this issue. However, these products are no longer supported." Am I the only one who finds the second statement much more useful than the first, and wonders why enterprise buyers don't get the same story right up front?
What I'm also thinking is that it's worth the effort to dismiss, many times an hour, the warnings that I get from Norton Internet Security about what's attempting to access my system, and how. I'm thinking that it's worth the effort to "stealth" all of my ports to minimize the chance that an attack even comes my way. I'm thinking like a bicyclist on a dark night on Storrow Drive, winding along the Charles River between Boston and Cambridge, as the bars close and the drunks all head for home.
At least, for the most part, the drunks actually had to pass a driving test: Too many Internet users lack even that level of preparation.
So you might as well behave as if they're all out to get you on purpose. Accident or malice, it doesn't much matter when the bumper hits you in the back.
Tell me how you stay alive out there.

Peter Coffee is Director of Platform Research at salesforce.com, where he serves as a liaison with the developer community to define the opportunity and clarify developers' technical requirements on the company's evolving Apex Platform. Peter previously spent 18 years with eWEEK (formerly PC Week), the national news magazine of enterprise technology practice, where he reviewed software development tools and methods and wrote regular columns on emerging technologies and professional community issues. Before he began writing full-time in 1989, Peter spent eleven years in technical and management positions at Exxon and The Aerospace Corporation, including management of the latter company's first desktop computing planning team and applied research in applications of artificial intelligence techniques. He holds an engineering degree from MIT and an MBA from Pepperdine University, and he has held teaching appointments in computer science, business analytics and information systems management at Pepperdine, UCLA, and Chapman College.